Specification

1. Title of the Invention:

RECORD UNIT SECURITY CONTROL FORMAT 

2. Claim 

A record unit security control format with the following 
characteristics: In a record unit security control format for 
protecting the security of records in the direct access memory device
(18), into which record information becomes memorized based on a 
recording format which uses a count unit, a key unit, and a data 
unit, 

The following are configured within the control device (14), which 
controls the aforementioned direct access memory device: 

The control mechanism (16), which attaches security information 
which is used for the determination of (in)accessibility to record
units, and 

The security information inspection mechanism (17), which, in cases 
where records are decoded and encoded, determines the 
(in)accessibility by comparing for a potential match the designated
security information and the security information attached to a 
record which serves as an access target. 



3. Detailed explanation of the invention



(Summary) 

It concerns a record unit security control format for protecting 
the security of records in a direct access memory device into which 
record information becomes memorized based on a recording format 
which uses a count unit, a key unit, and a data unit, whereas 

Its objective is to realize a security system which ensures a high
degree of record unit security, whereas 

It is constituted by configuring the following within a control 
device which controls a direct access memory device: A control 
mechanism which attaches security information which is used for the 
determination of (in)accessibility to record units and a security
information inspection mechanism which, in cases where records are
decoded and encoded, determines the (in)accessibility by comparing
for a potential match the designated security information and the
security information attached to a record which serves as an access
target.

(Industrial application fields) 

The present invention concerns a record unit security control 
format for protecting the security of records in a direct access 
memory device into which record information becomes memorized based 
on a recording format which uses a count unit, a key unit, and a data 
unit.

In response to advanced uses of computer systems, the technology for
protecting the security of data wherein data can be encoded and 
decoded exclusively by truly authorized individuals has become 
increasingly more important. Depending on application fields, it may 
become necessary to define security protection units in terms of 
record units rather than large aggregates of data such as files. 

(Prior art) 

Various security formats such as access control, flow control, 
password input, etc. are conceivable in the context of preventing 
improper accesses to data handled by computer systems. 

The security of data is realized by permitting the use of said data 
in relation exclusively to a properly authorized processing subject 
who uses said data. In a case where said data have been recorded on 
a direct access memory device (DASD) such as a magnetic disc device, 
etc., an I/O for said direct access memory device is issued, and it 
is necessary to execute protocols for referencing or modifying the 
memorized data under proper authority. 

Volumes, files, etc. are conceivable as such security protection 
units, and the goal has mainly been realized in the prior art based 
on the control of an operating system (OS). No mechanism for
assigning a security function to each record unit memorized in the 
direct access memory device has, however, been realized. 

(Problems to be solved by the invention)

In a case where a single file is constituted by multiple records of
variable lengths, it may become necessary to allow or prohibit the 
referencing and/or renewal of data in manners specific to the types 
of the individual records. 

As far as the format of the prior art is concerned, however, the 
security function cannot be designated for the record unit, and 
accordingly, it has been necessary to classify files depending on 
security protection levels and to formulate a separate file by 
clustering a group of records with a mutually equivalent security 
protection level. 

In such a case, it becomes unavoidable to access multiple files in 
the context of processing a series of data, which is problematic in 
that the routine becomes complicated, accompanied by increased 
burdens on the processing time and memory capacity. 

The possibility of determining the (in)accessibility of data within
a record which has been opened within a main memory device based on a 
software logic operation is also being contemplated, but it is 
impossible to directly prohibit an improper access of a record within 
a direct access memory device based solely on the software routine of 
a mainframe processing unit, which is problematic in that the 
security protection becomes insufficient. 

In a case where security information is memorized and managed at a 
site different from that of a record which serves as a security 
protection target, furthermore, it is problematic in that an 
additional security protection mechanism becomes necessary for
preventing the tampering of the security information itself. 

The objective of the present invention, which attempts to solve the 
aforementioned problems, is to realize a security system which 
affords a high degree of record unit security. 

(Mechanism for solving the problems) 

Figure 1 is a principle block for the present invention. 
In Figure 1, (10) is a processing device which consists of a CPU, 
memory, etc., whereas (11) is an access request unit through which 
the access to each record is requested, whereas (12) is an 
input/output management unit which manages the input and/or output 
actions of the operating system, whereas (13) is a channel device, 
whereas (14) is a control device which controls devices connected 
with it, whereas (15) is a microprocessor (MPU), whereas (16) is a
security information recording control mechanism, whereas (17) is a 
security information inspection mechanism, whereas (18) is a direct 
access memory device (e.g., disc pack device, etc.). 


The direct access memory device (18) is a device into which records 
which serve as security protection targets in the present invention 
are memorized, and it is constituted to memorize record information 
based on a recording format which uses the count unit (C), key unit
(K), and the data unit (D). Incidentally, (HA) is a home address
which shows the top of a track.

As far as the present invention is concerned, the security label (S)
is designed to be attached to each record. The security label (S) is
constituted by the level (L), which shows the hierarchical order of
security, and the category (C), which shows the application range.
Security labels (S) of the same contents are scheduled to be stored 
in the key unit (K) and data unit (D) in this example. The security 
label (S) is assigned to the key unit (K) and data unit (D) for 
purposes of enabling positioning vis-a-vis each record and the 
inspection of security during data encoding and/or decoding 
operations independently during or after the positioning operation 
and of elevating the processing speed. 

For realizing the security by the record unit, the control device 
(14) possesses the security information recording control mechanism 
(16), which is based on farmware [sic], and the security information
inspection mechanism (17).

The security information recording control mechanism (16) engages 
in a control protocol whereby records are encoded into the direct 
access memory device (18) via the count unit (C), key unit (K), and
the data unit (D) while the security label (S) is being attached to 
said records. 

The security information inspection mechanism (17) compares for a 
potential match the security information designated by a preceding 
channel command and the security label (S) attached to the record 
during the encoding and/or decoding of said record for the purpose of 
controlling the determination of the (in)accessibility to said
record. 

(Functions) 

As far as the present invention is concerned, the security 
information is attached to the records which are being stored in the 
direct access memory device (18) themselves, and the 
(in)accessibility to each record is checked by the control device
(14) during a record encoding and/or decoding operation. The 
execution of an input/output request which ignores the security 
information therefore becomes prohibited by the control device (14), 
based on which the goal of the security protection of each record in 
the direct access memory device (18) can be achieved. 

As far as the designation of the security information to be used 
for the determination of (in)accessibility is concerned, the security
protection by the record unit can be realized by inducing the
input/output management unit (12) to add a channel program for
designating the security information before a user's channel program 
(CCW) without modifying the extant user's channel program. 

The inspection of security is executed automatically by the control 
device (14), and therefore, there is virtually no software overhead 
imputed to the processing device (10).

(Application examples)

Figure 2 instantiates the record format of an application example
of the present invention, whereas Figure 3 is a constitutional 
diagram for the disc control device of [said] application example of 
the present invention, whereas Figure 4 instantiates data encoding 
commands in [said] application example of the present invention, 
whereas Figure 5 instantiates the data encoding control of [said] 
application example of the present invention, whereas Figure 6 
instantiates the security check of the data encoding operation of 
[said] application example of the present invention, whereas Figure 7 
instantiates the data encoding commands of [said] application example 
of the present invention, whereas Figure 8 instantiates the data 
encoding control of [another] application example of the present 
invention, whereas Figure 9 instantiates the security check of the 
data encoding operation of [another] application example of the 
present invention.

The present invention handles the security protection of record 
information in a direct access memory device for recording records of 
variable lengths, namely the so-called "CKD-DASD." Its record format 
is shown in Figure 2. Its constitution is identical to that of the 
prior art except that information on the security label (S) is added. 

The count unit (C) possesses the following sets of information:

* F: Flag (this flag additionally indicates whether the record uses
the format of the prior art or the expanded format which possesses
the security label (S));
* CC: Cylinder No.;
* HH: Head No.;
* R: Record No.;
* S: Length of the security label (newly configured);
* K: Length of the key unit;
* DD: Length of the data unit.

The security labels (S), furthermore, are recorded onto the
respective tops of the key unit (K) and data unit (D). The contents
of the security label (S) in the key unit (K) and the contents of the
security label (S) in the data unit (D) are mutually identical.

Figure 3 (i) shows a constitutional example of the disc control 
device (20), which instantiates one application example of the 
present invention. 

The disc control device (20), which is connected to a channel device
of a higher hierarchical order and the disc pack device (24), which
serves as a direct access memory device, controls said disc pack
device (24). It possesses the channel interface (21) on the channel
device side and the device interface (23) on the disc pack device
(24) side. It additionally possesses the microprocessor (15), which
controls their interface via a microprogram, and the data buffer
(22).

The following are configured on the data buffer (22), as Figure 3 (ii)
indicates: The security information save zone (25), the command
buffer (26), in which channel commands are saved, the security
information judgment result memory unit (27), in which judgment
results on security information are memorized, the count buffer (28),
which pertains to inputted and/or outputted records, the key buffer
(29), and the data buffer (30).

Figure 4 shows examples of channel commands which are used in cases 
where data on records to which the security label (S) has been 
attached are encoded. The channel program of this embodiment is 
formulated in terms of the commands (a) through (e) shown below: 

(a): SSD: Security information designation command

This command is orchestrated for designating new security
information. A label and a category corresponding to the security
label (S) are designated by this SSD command. The level and the
length may each be variably designated depending on applications.

(b): TIC: Branch command

The prevailing status is hereby branched into the channel program (CCW)
formulated by the user. In other words, these commands (a) and (b)
are each orchestrated for inducing the input/output management unit
(12) shown in Figure 1 to add said commands to the channel program
formulated by the access request unit (11).

(c): SID: Search ID command

(d): TIC: Branch command

(e): RD: Read data command

These commands (a) through (e) are equivalent to the commands which 
have been used in the prior art for accessing the CKD-DASD. 

In response to the channel commands shown in Figure 4, the 
microprocessor (15) of the disc control device (20) shown in Figure 3
engages in the control routine shown in Figure 5:

(a): In response to the SSD command, the security information
designated by the command is saved into the security information save
zone (25) of the data buffer (22);

(b): Next, in response to the TIC command, the prevailing status is
branched into the following user CCW for enabling data encoding;

(c): In response to the SID command, the count unit of the record
is encoded into the data buffer (22) from the direct access memory
device, and whether or not it is the count unit of the designated
record is inspected. In a case where a non-designated position has
been judged, the count unit inspection is repeated until the
completion of the search;

In a case where it has been judged to be the count unit of the
designated position, the security label (S) of the key unit or data
unit and the security information saved into the security information
save zone (25) are compared for a potential match, and the
(in)feasibility of positioning is thus determined;

(d): In a case where the positioning is "feasible," a transition is
made to the stage next to the TIC command, whereas in a case where
the same is "infeasible," the search of (c) is repeated;

(e): In response to the RD command, the security information of the
data unit is compared, and in an accessible case, the data of the
data unit are encoded, whereas in an inaccessible case, an I/O error
is judged. This check of the security information may be dispensed
with in a case where this RD command is chained to the SID + TIC
commands. The check is indispensable in a case where it is chained
to the commands of a READ system or WRITE system.

A case where the security information shown in Figure 6 (i) has 
been designated by the SSD command during the encoding of data may, 
for example, be hypothesized. A higher value of the level 
information L signifies a higher security order. The category 
information C is defined by a 1-bit flag depending on the type of 
information. The level and category designated by the SSD command 
are hereby assumed to be SSD-L and SSD-C, respectively, and the level 
and category of the security label (S) which is being designated 
within the record as record-L and record-C, respectively, and in such 
a case, the conditions for enabling the encoding of data are 
stipulated as follows: 

SSD-L > record-L AND 
SSD-C ⊇ record-C.

In a case where data are encoded into the records shown in Figure 6 
(ii) based on the designation of the security information shown in 
Figure 6 (i), the encodings of the first and second records become
possible under the aforementioned security conditions. In a case 
where encoding into the third record becomes commanded, an I/O error 
is judged due to a level mismatch. 

Figures 6 (iii) and (iv) show another example. 
In a case where data are encoded into the records shown in Figure 6 (iv)
based on the designation of the security information shown in Figure 
6 (iii), the encoding of the first record is impossible due to a 
failure to meet the category requirement, and the encoding of the 
third record is impossible due to a level mismatch. Thus, only the 
second record is encodable. 

Figure 7 shows examples of channel commands which are used in a case 
where data are encoded into records to which the security label (S) 
has been attached. The commands of (a) through (d) are comparable to 
the data encoding commands shown in Figure 4, whereas the WD command 
of (e) is a command which instructs the encoding of data. 

In response to these channel commands shown in Figure 7, the 
microprocessor (15) of the disc control device (20) shown in Figure 3 
engages in the control routine shown in Figure 8.

(a): In response to the SSD command, the security information
designated by said command is saved into the security information
save zone (25) of the data buffer (22).

(b): Next, in response to the TIC command, the prevailing status is
branched into the following user CCW for enabling data encoding;

(c): In response to the SID command, the count unit of the record
is encoded into the data buffer (22) from the direct access memory
device, and whether or not it is the count unit of the designated
record is inspected. In a case where a non-designated position has
been judged, the count unit inspection is repeated until the
completion of the search;

In a case where it has been judged to be the count unit of the
designated position, the security label (S) of the key unit or data
unit and the security information saved into the security information
save zone (25) are compared for a potential match, and the
(in)feasibility of positioning is thus determined;

(d): In a case where the positioning is "feasible," a transition is
made to the stage next to the TIC command, whereas in a case where
the same is "infeasible," the search of (c) is repeated;

(e): In response to the WD command, the security information of the
data unit is compared, and in an accessible case, the data of the
data unit are encoded, whereas in an inaccessible case, an I/O error
is judged. This check of the security information may be dispensed
with in a case where this RD command is chained to the SID + TIC
commands. The check is indispensable in a case where it is chained
to the commands of a READ system or WRITE system.

A case where the security information shown in Figure 9 (i) has 
been designated by the SSD command during the encoding of data may, 
for example, be hypothesized. The level and category designated by 
the SSD command are hereby assumed to be SSD-L and SSD-C, 
respectively, and the level and category of the security label (S) 
which is being designated within the record as record-L and record-C, 
respectively, and in such a case, the conditions for enabling the 
encoding of data are stipulated as follows (opposite of that under 
the conditions of the READ mode) : 

SSD-L < record-L AND 
SSD-C ⊆ record-C.

In a case where data are encoded into the records shown in Figure 9
(ii) based on the designation of the security information shown in
Figure 9 (i), the encodings of the second and third records become
possible under the aforementioned security conditions. In a case
where encoding into the first record becomes commanded, an I/O error is
judged due to a level mismatch.

Figures 9 (iii) and (iv) show another example. 
In a case where data are encoded into the records shown in Figure 9 
(iv) based on the designation of the security information shown in 
Figure 9 (iii), the only encodable record is the third record by
default.
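
The read-side and write-side label checks described above can be modeled in a few lines of C. This is an added example, not code from the patent: the struct and function names, the CAT_A/CAT_B bits, and the sample track are constructed here, the category relation is read as bit-flag containment, and denying access when no SSD command has been issued is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAT_A 0x01   /* category (C): one bit flag per category (constructed) */
#define CAT_B 0x02
enum { IO_OK = 0, IO_ERROR = -1 };

/* Security label (S): level (L) and category flags (C). */
typedef struct { uint8_t level; uint8_t category; } label_t;

/* One CKD record reduced to what the check needs; field names are illustrative. */
typedef struct {
    uint8_t r;           /* R: record number held in the count unit */
    label_t key_label;   /* label at the top of the key unit */
    label_t data_label;  /* identical label at the top of the data unit */
    char    data[16];    /* data unit contents that follow the label */
} record_t;

/* Control device state: the security information save zone filled by SSD. */
typedef struct { int ssd_set; label_t ssd; } control_t;

static int contains(uint8_t outer, uint8_t inner) { return (outer & inner) == inner; }

/* Read condition: SSD-L > record-L and SSD-C contains record-C.
 * The level test is strict, as printed in the text. */
int may_read(label_t ssd, label_t rec) {
    return ssd.level > rec.level && contains(ssd.category, rec.category);
}

/* Write condition, the opposite: SSD-L < record-L and record-C contains SSD-C. */
int may_write(label_t ssd, label_t rec) {
    return ssd.level < rec.level && contains(rec.category, ssd.category);
}

/* SSD: save the designated security information. */
void cmd_ssd(control_t *c, uint8_t level, uint8_t category) {
    c->ssd.level = level; c->ssd.category = category; c->ssd_set = 1;
}

/* SID: search for record number r; the key-unit label decides whether
 * positioning is feasible. An infeasible match is skipped and the search
 * continues; NULL means the search completed without a usable position. */
static record_t *cmd_sid(const control_t *c, record_t *trk, size_t n, uint8_t r,
                         int (*rule)(label_t, label_t)) {
    if (!c->ssd_set) return NULL;  /* assumption: no SSD issued means deny */
    for (size_t i = 0; i < n; i++)
        if (trk[i].r == r && rule(c->ssd, trk[i].key_label)) return &trk[i];
    return NULL;
}

/* RD: position, re-check the data-unit label, return the data without the label. */
int cmd_rd(const control_t *c, record_t *trk, size_t n, uint8_t r, char *out, size_t cap) {
    record_t *rec = cmd_sid(c, trk, n, r, may_read);
    if (!rec || !may_read(c->ssd, rec->data_label)) return IO_ERROR;
    snprintf(out, cap, "%s", rec->data);
    return IO_OK;
}

/* WD: same flow with the write condition; the stored label is left untouched. */
int cmd_wd(const control_t *c, record_t *trk, size_t n, uint8_t r, const char *in) {
    record_t *rec = cmd_sid(c, trk, n, r, may_write);
    if (!rec || !may_write(c->ssd, rec->data_label)) return IO_ERROR;
    snprintf(rec->data, sizeof rec->data, "%s", in);
    return IO_OK;
}

/* Constructed sample track; these are not the values of Figures 6 and 9. */
void sample_track(record_t t[3]) {
    label_t l1 = {1, CAT_A}, l2 = {1, CAT_B}, l3 = {3, CAT_B};
    t[0] = (record_t){1, l1, l1, "rec1"};
    t[1] = (record_t){2, l2, l2, "rec2"};
    t[2] = (record_t){3, l3, l3, "rec3"};
}

int main(void) {
    record_t t[3]; control_t c = {0, {0, 0}}; char buf[16];
    sample_track(t);
    cmd_ssd(&c, 2, CAT_A | CAT_B);
    for (unsigned r = 1; r <= 3; r++)
        printf("read  R%u -> %d\n", r, cmd_rd(&c, t, 3, (uint8_t)r, buf, sizeof buf));
    cmd_ssd(&c, 2, CAT_B);
    for (unsigned r = 1; r <= 3; r++)
        printf("write R%u -> %d\n", r, cmd_wd(&c, t, 3, (uint8_t)r, "new"));
    return 0;
}
```

Because both level tests are strict, a designated level equal to the record's level satisfies neither the read nor the write condition in this model.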

Incidentally, in the context of handling the security information, 
various commands other than the SSD command may, if necessary, be 
easily supported by redesignating the farmware in the control device. 
In order to achieve interchangeability, for example, in the cases of
a command for synchronously encoding the count unit, key unit, and
the data unit (READ CKD command), notifications are rendered after
the information of the security label (S) has been removed. The
following commands, furthermore, are designated anew for decoding the
security label (S): (1): READ C & S command; (2): READ K & S command;
(3): READ KD & S command; (4): READ CKD & S command; etc. Commands
specific to the format for designating the security label (S) are
likewise prepared for commands for the WRITE system.

(Effects of the invention)

As the foregoing explanations have demonstrated, the present 
invention enables none other than authorized subjects to encode and 
decode based on the attachment of security information to records, 
based on which a security system with a high level of security can be 
realized while the security protection range is being defined in 
terms of the record unit. Since the records themselves possess the 
security information, furthermore, the loss of protection in response 
to transfers of data can be avoided, and improper uses (e.g., copy, 
etc.) can also be prevented. 

4. Brief explanation of the figures

Figure 1 is a principle block for the present invention.

Figure 2 instantiates the record format of an application example of
the present invention.

Figure 3 is a constitutional diagram for the disc control device of 
[said] application example of the present invention. 

Figure 4 instantiates data encoding commands in [said] application 
example of the present invention. 

Figure 5 instantiates the data encoding control of [said] 
application example of the present invention. 

Figure 6 instantiates the security check of the data encoding 
operation of [said] application example of the present invention.

Figure 7 instantiates the data encoding commands of [said] 
application example of the present invention. 

Figure 8 instantiates the data encoding control of [another]
application example of the present invention. 

Figure 9 instantiates the security check of the data encoding 
operation of [another] application example of the present invention. 

In the figures, the notations denote the following: (10):
Processing device; (11): Access request unit; (12): Input/output
management unit; (13): Channel device; (14): Control device; (15):
Microprocessor; (16): Security information recording control
mechanism; (17): Security information inspection mechanism; (18):
Direct access memory device; (S): Security label.

Patent Applicant: Fujitsu, Ltd. 

Agents: Kichiyoshi Ogasawara, patent attorney (and two others) 

Figure 1

[(0): Principle block diagram of the present invention; (10):
Processing device (CPU/memory); (11): Access request unit; (12):
Input/output management unit; (13): Channel device; (14): Control
device; (16): Security information recording control mechanism; (17):
Security information inspection mechanism; (18): Direct access memory
device (DASD); (R): Record; (S): Security label; (L): Label; (C):
Category]

Figure 2

[(0): Example of record format]

Figure 3

[(0): Disc control device constitutional diagram; (C): To channel
device; (20): Disc control device; (21): Channel interface; (22):
Data buffer; (23): Device interface; (24): Disc pack device; (25):
Security information save zone; (26): Command buffer; (27): Security
information judgment result memory unit; (28): Count buffer; (29):
Key buffer; (30): Data buffer]

Figure 4

[(0): Examples of data encoding commands; (1): Level length; (2):
Category length; (3): Level; (4): Category; (5): Variable length]

Figure 5

[(0): Example of data encoding control; (1): Saving of security
information; (2): Branching into user CCW; (3): Encoding of count
unit into data buffer and inspection of its coincidence with
designated count unit or lack thereof; (4): Designated position?;
(5): Inspection of security information; (6): Positioning feasible?;
(7): Comparison of security information of data unit and encoding of
data if OK; (8): Search complete?; (8): I/O error]

Figure 7

[(0): Examples of data encoding commands]

Figure 8

[(0): Example of data encoding control; (1): Saving of security
information; (2): Branching into user CCW; (3): Encoding of count
unit into data buffer and inspection of its coincidence with
designated count unit or lack thereof; (4): Designated position?;
(5): Inspection of security information; (6): Positioning feasible?;
(7): Comparison of security information of data unit and encoding of
data if OK; (8): Search complete?; (8): I/O error]

Figure 6

[(0): Example of security check during data encoding; (1): First
record; (2): Second record; (3): Third record; (4): Product A
information; (5): Product B information; (6): Product C information;
(7): Product D information; (L): Level information; (C): Category
information; (C): Count unit; (K): Key unit; (D): Data unit; (S):
Security label]

[(0): Example of security check during data encoding; (1): First
record; (2): Second record; (3): Third record; (C): Count unit; (K):
Key unit; (D): Data unit; (S): Security label]